Cyber Resilience

CVE-2022-26925

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 10 May 2022
Modified: 30 October 2025
KEV Added: 01 July 2022
Patch: available (see vendor advisories)
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.3743 (97.3rd percentile)
Risk Priority: 59 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-26925 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

Windows LSA Spoofing Vulnerability CVE-2022-26925 affects the Local Security Authority component in Windows and carries a CVSS 3.1 base score of 8.1. The weakness is categorized under CWE-306 and permits an unauthenticated network attacker to spoof LSA communications under conditions of high attack complexity.

An attacker positioned on the network can exploit the flaw without credentials or user interaction to achieve high impact on confidentiality, integrity, and availability, effectively allowing impersonation of privileged security functions that the LSA performs.

Microsoft security advisories at the listed MSRC URLs detail available patches and configuration guidance, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, indicating that federal agencies must apply mitigations according to the published timelines.

The EPSS score rose sharply from a low baseline after disclosure to a peak of 0.9742 on 2023-04-22 before receding to the current value of 0.3743, demonstrating that exploitation interest increased substantially months after the initial release.

Vulnerability details

Title: Windows LSA Spoofing Vulnerability
CWE(s): CWE-306 (Missing Authentication for Critical Function)
KEV Date Added: 01 July 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor      Product            Affected versions
microsoft   windows 10 1507    ≤ 10.0.10240.19297
microsoft   windows 10 1607    ≤ 10.0.14393.5125
microsoft   windows 10 1809    ≤ 10.0.17763.2928
microsoft   windows 10 1909    ≤ 10.0.18363.2274
microsoft   windows 10 20h2    ≤ 10.0.19042.1706
microsoft   windows 10 21h1    ≤ 10.0.19043.1706
microsoft   windows 10 21h2    ≤ 10.0.19044.1706
microsoft   windows 11 21h2    ≤ 10.0.22000.675
microsoft   windows 7          all versions
microsoft   windows 8.1        all versions
+7 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly enforces authentication on LSA functions so an unauthenticated attacker cannot spoof communications to obtain elevated access.

IA-9 (Service Identification and Authentication), prevent: Requires identification and authentication of services before LSA accepts or acts on their communications, blocking the spoofing vector.

prevent: Protects the integrity of LSA network communications, preventing the spoofing that leads to confidentiality, integrity, and availability compromise.

References